The DoD published DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Reporting, in an effort to prevent improper access to important unclassified information in the supply base. The DFARS 252.204-7012 clause includes the following key requirements:

Adequate Security

Contractors must provide adequate security on all covered contractor information systems. A “covered contractor information system” is defined as an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.

Cyber Incident Reporting

When a cyber incident is discovered, contractors must conduct a review for evidence of compromise of covered defense information and report to the DoD at http://dibnet.dod.mil and SNC within 72 hours. A “cyber incident” is defined as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

Supplier Flow Down

When engaging with other suppliers that require access to covered defense information in performance of a contract, include the DFARS 252.204-7012 clause in any subcontracts, or similar contractual instruments with those suppliers.

Read the full clause here.

CMMC 2.0 DFARS 252.204-7021: The DoD published DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification (CMMC) Program, as a crucial step to bolster the cybersecurity posture of the defense industrial base (DIB) and protect sensitive unclassified information. This clause introduces a standardized, tiered approach to cybersecurity, moving beyond self-attestation to include third-party assessments for many contractors. The DFARS 252.204-7021 clause includes the following key requirements:

CMMC Certification Requirement: Contractors must possess a current (not older than three years) CMMC certificate at the level specified in the contract and maintain this certification throughout the contract's duration. The required CMMC level (Level 1, 2, or 3) depends on the type and sensitivity of information processed, stored, or transmitted, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

Annual Affirmation of Continuous Compliance: Beyond the initial certification, contractors are required to provide an annual affirmation by a senior company official, verifying continuous compliance with the cybersecurity requirements applicable to their CMMC level.

Lapse in Information Security and CMMC Status Reporting: Contractors must notify the contracting officer within 72 hours of any "lapses in information security" or changes in the status of their CMMC certificate or CMMC self-assessment levels during the performance of the contract. This emphasizes ongoing vigilance and immediate reporting of any potential compromise.

Continued Diligence

It is imperative that all SNC subcontractors and/or suppliers meet DFARS requirements as necessary. Together, our continued diligence will protect vital information, minimize risks, and secure competitive advantage for all parties.
